Audit and Risk Committee minutes 24 September 2025

Minutes of the Meeting of the Cardiff University Audit and Risk Committee held on Wednesday 24 September 2025 at 14:00 in Room 0.62, Bute Building.

Present: Dr Robert Weaver (Chair), Aneesa Ali, Pers Aswani, Suzanne Rankin, Craig Watkins.

In Attendance: Helen Bennett [minute 1393], Rob Davies [minute 1394], Jonathan Brown (KPMG), Eleanor Hetenyi (KPMG), Victoria Holbrook, Professor Wendy Larner, Cheng Long, Sian Marshall, Catrin Morgan, Maxine Philpin-Jones [minute 1383], Dr Paula Sanderson, Laura Sheridan, Natalie Stewart, Professor Roger Whitaker [minute 1391] and Darren Xiberras.

1374 Welcome and preliminaries

1374.1 All were welcomed to the meeting, including Craig Watkins, who was attending his first meeting since his appointment to the Committee and to Council in August 2025.

1375 Apologies for absence

1375.1 Apologies were received from Dr Nick Starkey and Clare Everleigh. The meeting was confirmed as quorate.

1376 Declarations of Interest

The Chair reminded Committee members of their duty to disclose any potential conflicts of interest. Suzanne Rankin declared an interest in any matters relating to Cardiff and Vale Health Board owing to her role as Chief Executive of CVUHB.

1377 Minutes of the previous meeting

The minutes of the meeting held on 19 June 2025 (24/600C) were confirmed as a true and accurate record.

1378 Matters arising from the minutes

Received and considered paper 25/02 ‘Matters Arising’. The Chair spoke to this item.

Noted

Minute 1249.5

1378.1 that an item on generation AI had not been scheduled as there has not been time on the agenda;

Minute 1262.5

1378.2 that the effectiveness review with external input has been delayed to take place after the committee structure review had concluded.

1379 Constitution and membership

Received and considered paper 25/03 ‘Constitution and Membership’.

Noted

1379.1 that the role of the Funders Advisory Panel was to provide advice to the University on donations and research funding; that it had an advisory role only and did not form part of the University’s assurance framework.

Resolved

1379.2 to recommend the revised Constitution for Audit and Risk Committee to Council for approval.

1380 Items from the Chair

The Chair spoke to this item.

Noted

1380.1 that there were no chair’s actions to report.

1381 Strategic Risk Register

Received and considered paper 25/04C ‘Strategic Risk Register’. The Head of Compliance and Risk and Senior Risk Advisor joined the meeting for this item. The Chief Operating Officer and University Secretary spoke to this item.

Noted

1381.1 that horizon scanning had been embedded within the risk management process;

1381.2 that the new risk register was aligned to the University Strategy and University Success Measures (USMs); that all risks had been reviewed to determine whether they remained strategic risks and if they had either been brought within tolerance or had materialised; that further work would be required to input the risks to the 4Risk system and ensure that they were fully described;

1381.3 that six new strategic risks had been identified; that this included a new risk around artificial intelligence;

1381.4 that there was a need to review the risk tolerance and category definitions as part of the next steps;

1381.5 that dates for actions to be completed were included in the 4Risk system; that all actions were linked to controls;

1381.6 that future iterations of the report would contain more detail once the work to update the 4Risk system was completed; that full detail of each risk was not provided to the Committee given the volume of information held in the 4Risk system; that deep dives provided an opportunity for a more detailed review of each risk;

1381.7 that the Dental Hospital Building risk had materialised and was proposed for removal as the matter was being dealt with through the local incident management process; that a paper was being prepared to address the proposed future of the Dental School building; that any remaining infrastructure issues would be considered under the Fit for purpose estate risk;

1381.8 [Redacted]

1381.9 that risk management and internal controls was a two-way process; that this required a process to be in place to establish or adapt controls when risks emerged.

Resolved

1381.10 to recommend the proposed Strategic Risk Register to Council for approval;

1381.11 to schedule an opportunity for the Committee to review the full risk register and the University’s risk tolerance levels as part of a development session.

1382 Progress Report on the development of an Internal Controls Framework

Received and considered paper 25/05HC ‘Progress Report on the Development of an Internal Controls Framework’. The Chief Operating Officer and University Secretary spoke to this item.

Noted

1382.1[Redacted]

1382.2 [Redacted]

1382.3 [Redacted]

1382.4 [Redacted]

Resolved

1382.5 to approve the further work outlined;

1382.6 to review the data underpinning the internal control framework for one or more controls as part of a Committee development session.

Cheng Long left the meeting

1383 Regulatory Compliance (assurance map) Deep Dive

Received and considered paper 25/06HC ‘Regulatory Compliance (assurance map) Deep Dive’. The Compliance and Risk Advisor joined the meeting for this item. The Head of Compliance and Risk spoke to this item.

Noted

1383.1 [Redacted]

1383.2 [Redacted]

1383.3 [Redacted]

1383.4 [Redacted]

1383.5 [Redacted]

Resolved

1383.6  that the Committee commended the work being undertaken to enhance compliance and strengthen assurance.

1383.7 for the Committee to receive a copy of the regulatory compliance heatmap;

1383.8 for any gaps in the provision of training in key compliance areas to be reported to the Committee.

Catrin Morgan and Maxine Philpin-Jones left the meeting.

1384 External Audit Progress Report

Received and considered paper 25/07C ‘External Audit Progress Report’. KPMG spoke to this item.

Noted

1384.1 that the interim audit had been completed; that early sampling had been performed and supporting documentation had been requested;

1384.2 that the control recommendations from prior years had been reviewed with the Finance team; that progress had been made with many recommendations; however, it was too early to provide a view on whether any actions could be closed or downgraded as the risk profile could change with the completion of testing;

1384.3 that the control recommendation progress report was welcomed.

Resolved

1384.4 for the control recommendation progress report to be provided again in 2025-26, with an additional progress category of “maybe”.

1385 Action plan from audit recommendations

Received and considered paper 25/08C ‘Audit Recommendations Action Plan’. The Group Financial Controller spoke to this item.

Noted

1385.1 that progress to implement a journals authorisation control had been slower than anticipated owing to the complexity of the project; that this was in part due to the variations in staffing structures and processes at School-level; that progress had been made but the control weakness had not been addressed by the interim measure; it was planned that a system-based journal approval solution would be implemented during 2025-26;

1385.2 that the control would need to be in place for a full financial year for the control weakness to be removed; this meant that the control recommendation was unlikely to be closed until the 2027 audit;

1385.3 that improving the processes around identification of asset impairments continued to be a priority; discussions were on-going with KMPG to agree a suitable format for the documentation of the assessment of indicators.

1386 Internal Audit Strategy

Received and considered paper 25/09HC ‘Internal Audit Strategy’. The Head of Internal Audit spoke to this item.

Noted

1386.1 [Redacted]

1386.2  [Redacted]

1386.3  [Redacted]

1386.4 [Redacted]

1386.5 [Redacted]

1386.6 [Redacted]

Resolved

1386.7 to approve the Internal Audit Strategy.

1387 Internal Audit Progress Report

Received and considered paper 25/10HC ‘Internal Audit Progress Report’. The Head of Internal Audit spoke to this item.

Noted

1387.1 [Redacted]

1387.2 [Redacted]

1388 Internal Audit Report: Business Cases

Received and considered paper 25/23HC ‘Internal Audit Report Business Cases. The Head of Internal Audit spoke to this item.

Noted

1388.1 [Redacted]

1388.2 [Redacted]

1388.3 [Redacted]

1388.4 [Redacted]

1388.5 [Redacted]

1388.6 [Redacted]

1389 Internal Audit Report: Research Income

Received and considered paper 24/603HCR ‘Research income audit report’. The Head of Internal Audit spoke to this item.

Noted

1389.1 [Redacted]

1390 Internal Audit Recommendations Follow-up Report

Received and considered paper 25/11HC ‘Internal Audit recommendations follow-up report’. The Head of Internal Audit spoke to this item.

Noted

1390.1 [Redacted]

1390.2 [Redacted]

1390.3 [Redacted]

Resolved

1390.4 to request that UEB undertake an analysis and assessment of the priority 1 overdue recommendations and to report the findings to the Committee’s March meeting;

1390.5 for the Head of Internal Audit to evaluate whether the timelines put in place for actions were appropriate or overly optimistic.

1391 Research Commercialisation Internal Audit Recommendations

The Pro Vice-Chancellor, Research, Innovation and Enterprise spoke to this item.

Noted

1391.1 that the business case to establish Cardiff Innovations Limited, a wholly-owned commercial vehicle for the University’s research commercialisation activity, was approved in April 2025 and implementation was in progress; this included recruitment of the project team and a number of further workstreams;

1391.2 that the project formed part of the transformation programme and its governance structure;

1391.3 that links with Queen Mary Innovation at Queen Mary University of London had been developed to ensure best practice in the approach taken;

1391.4 that the formal launch of the University spin-out Draig Therapeutics had been held.

Prof Roger Whitaker left the meeting.

1392 Internal Audit Service Annual Report 2024/25

No report was received under this item.

1393 Financial Compliance – Annual Report

Received and considered paper 25/12HC ‘Financial Compliance Annual Report’.  The Head of Financial Compliance spoke to this item.

Noted

1393.1  [Redacted]

1393.2  [Redacted]

1393.3  [Redacted]

1393.4  [Redacted]

1393.5  [Redacted]

Resolved

1393.6 to approve that an appropriate level of assurance is provided in relation to the University’s preparedness for the Economic Crime and Corporate Transparency Act (ECCTA) 2023’s failure to prevent fraud offence;

1393.7 for anti-money laundering training completion rates to be reviewed and reported as part of the next report in March 2026.

Helen Bennett left the meeting.

1394 Major and Serious incidents Update

Received and considered paper 25/13HC ‘Major and Serious Incident Update’.  The College Registrar - College of Biomedical & Life Sciences joined the meeting to speak to this item.

Noted

1394.1 [Redacted]

1394.2 [Redacted]

1394.3 [Redacted]

1394.4 [Redacted]

1394.5 [Redacted]

1394.6 [Redacted]

Resolved

1394.7 to approve that the report provides adequate assurance for risks in this area.

Rob Davies left the meeting.

1395 Annual Risk Management Report

Received and considered paper 25/14HC ‘Annual Risk Management Report 2025’. The Chief Operating Officer and University Secretary spoke to this item.

Noted

1395.1 [Redacted]

Resolved

1395.2 to approve that the report provides adequate assurance for risks in this area.

1396 Value For Money Report

Received and considered paper 25/15C ‘Value for Money Report 2025’.  The Chief Financial Officer spoke to this item.

Noted

1396.1 that the report described the work undertaken by the University during 2024-25 to ensure that value for money was delivered for students and funders; that the paper would inform the Committee’s opinion on the adequacy and effectiveness of arrangements for value for money as part of its annual report to Council and Medr;

1396.2 that the format of the report was much improved;

1396.3 that a new Value for Money policy had been approved; implementation of the policy would lead to an embedding of the language and evidence of VfM impacts within the culture of the organisation, for example, within business cases.

Resolved

1396.4 to recommend that an appropriate level of assurance around institutional arrangements for delivery of value for money has been provided to Council for approval;

1396.5 for future iterations of the report to include some metrics, which might, for example, include progress against the USMs.

1397 Any Other Business

Noted

1397.1 no further business was discussed under this item.

1398 Review of risks identified in the risk register

The Chair spoke to this item.

Noted

1398.1 that the information received by the Committee during the meeting was accurately reflected in the risk register.

1399 Assurance of risk relating to data submitted externally

Received and considered paper 25/16C ‘Assurance of risk relating to data submitted externally’.

Resolved

1399.1 to approve that an appropriate level of assurance has been provided for the mechanisms for the assurance of our external data submissions.

1400 Annual Serious incident report

Received and considered paper 25/17HC ‘Annual Report on Serious Incidents 24-25’.

Resolved

1400.1 to approve that the Annual Report on Serious Incidents provides adequate assurance in this area of risk.

1401 Preliminary Financial Position 24-25 Final

Received and considered paper 25/18C ‘Preliminary Financial Position 24-25 Final’. The Chief Financial Officer spoke to this item.

Noted

1401.1 [Redacted]

1401.2 that the preliminary outturn included accounting adjustments for holiday pay, deferral of January start tuition fee revenue, and provision for IQE financial viability consideration; these adjustments would require review by KPMG.

1402 Items Received for Information

• 25/20 ‘Medr Accounts Direction Summary of Key Changes’
• 25/21HC ‘Whistleblowing reports’
• 25/22 ‘Schedule of Committee Business for the year ahead’

All Officers apart from the Head of Internal Audit and the Secretary left the meeting for the reserved item.

1403 In-Camera Meeting

Following the meeting of the Audit and Risk Committee, an in-camera meeting was held. The members of the Audit and Risk Committee, the external auditors, the Head of Internal Audit and the Secretary were present.  There were no points that the Committee wished to bring to the attention of the Council.

The minutes of the meeting held on 24 September 2025 were confirmed as a true and accurate record and were approved by the Committee on 12 November 2025.